Random number generation is an important part of the security infrastructure in many application programs and operating systems. For example, random numbers are used to generate session keys and cryptographic keys for encoding data that is transmitted between two locations (such as between a client and a server). The use of such keys protects the integrity of the data and provides for the authentication of the data and authentication of the user attempting to access the data.
The quality of the random numbers generated is associated with the quality of the security provided by the application program or operating system. A perfect random number generator that produces a truly random sequence of bits is considered by many to be impossible. Thus, designers attempt to create “pseudo” random number generators that produce unpredictable sequences of bits in which no particular bit is more likely to be generated at a given time or place in the sequence than any other bit. This disclosure uses the terms “random number generator” and “pseudo random number generator” interchangeably.
The quality of the random seed used by the random number generator affects the quality of the random number created by the random number generator. Common techniques for creating a random seed include using operating parameters of the computer, such as time of day, date, available memory, and the like. In general, these types of parameters are regarded as sufficient for certain types of simple applications, but can lead to predictability in certain situations. For example, systems that use the computer's system time as the random seed can be predicted if the approximate system time is known, such as the time at which an email was generated. An analyst could test all possible times near the known approximate system time until the seed for the random number is discovered, thereby breaking the security of the system.
Many existing random number generation systems use data that is reset each time the computer system is reset, thereby limiting the quality of the seed data. Other random number generation systems use data that may be similar from one computer system to the next, such as time of day or date, thereby reducing the randomness of the seed data.
The system and method described herein addresses these limitations by providing a random number generator that uses random seed data that has been generated over the lifetime of the computer system.